Developer Site That Was Used To Hack Facebook And Apple Issues Mea Culpa

The recent hacker breaches of high-profile tech firms including Facebook and Apple began with the compromise of another site you've likely never heard of: iPhoneDevSDK.com. And now that initial victim in the hacking spree is coming clean.

"Today, we were alerted that our site was part of an elaborate and sophisticated attack whose victims included large internet companies," wrote iPhoneDevSDK co-founder Ian Sefferman in a blog post on his popular mobile developer forum site Tuesday. Sefferman said that he only learned of the attack from a post on AllThingsD, which first reported the site's involvement. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

Sefferman confirms that his site was used in a so-called "watering hole" attack that infected several of Facebook's computers, and possibly those of other companies, with malicious software when their users visited the site. Sefferman writes that an administrator account for the site was hijacked to add JavaScript code that "appears to have used a sophisticated, previously unknown exploit to hack into certain user's computers."

According to Facebook and Apple, which was reported Tuesday to have been targeted in the same attack, that "previously unknown exploit" took advantage of a bug in Oracle's Java plug-in in victims' browsers. Twitter, which revealed earlier that it was the victim of a similar breach, also hinted at the time that Java was involved in its compromise. A report Tuesday from Bloomberg newswires said that as many as 40 companies may have been targeted, and that the hackers seem to be based in Eastern Europe, citing unnamed sources close to a law enforcement investigation of the breaches.

Sefferman says that iPhoneDevSDK has determined that the exploit was removed by the hacker on January 30th. And the site has reset all users' passwords to prevent the hijacked administrator's account from changing its code again. Nonetheless, users should exercise caution visiting iPhoneDevSDK.com, and be sure to disable the Java plug-in in their browser if they do. (In fact, you should probably disable Java in your browser regardless.)

Like Facebook and Apple, iPhoneDevSDK says it believes that none of its own user data was compromised--cold comfort to the tech firms whose employees' computers were hacked via the site.

"We're very sorry for the inconvenience," Sefferman writes. "We'll work tirelessly to ensure your data's security now and in the future."